A new piece of malware, known as Cerber, has been spotted in the wild. It is spread through phishing emails carrying a .zip attachment that contains a malicious JavaScript file. The idea is to trick the victim into double-clicking the JavaScript file so that the code is executed through Internet Explorer. The JS file is only a dropper, responsible for downloading the malware onto the victim's machine; AV vendors detect it as JS/Nemucod.ED!Eldorado. The JS code reported below is the malicious payload of the dropper.

This function completes the string used in the function ytzte, so that a new Function can be correctly created to decode the obfuscated payload.

• tiins()

This is the main function. It contains the malicious obfuscated payload and the logic to de-obfuscate it. The payload is loaded into the variable zkqqd and processed in an infinite loop that ends only when the de-obfuscation has completed correctly.

• ytzte(cmift)

This is the function responsible for de-obfuscating the malicious code.

In order to decode and understand what this dropper does, we can use the Chrome Developer Tools and go through three simple steps:

1. Extract all the values of the array allocated in the function cjspx().

2. Rebuild the string used to create the new Function in the ytzte function, so that it has correct syntax.
We can then create a new function, called test, that decodes the obfuscated payload. The regex takes the string 5 characters at a time, matching 5 chars every 5 chars.
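The same decoding step can be done without hand-rebuilding the string in the console: swap the global `Function` constructor for a recorder while the decode routine runs, so the decoded payload is captured but never executed. This is an added analysis example, not the dropper's code; the 5-char chunk scheme, `chunkTransform`, `captureDynamicCode`, `SAMPLE_OBF` and `sampleDropper` are constructed stand-ins and do not reproduce the real cjspx()/tiins()/ytzte() logic.

```javascript
// Added analysis helper (not the dropper's own code): run the decode routine with
// `Function` replaced by a recorder, so the decoded payload is captured, not run.
// The 5-char chunk obfuscation and SAMPLE_OBF are constructed stand-ins; the real
// dropper's cjspx()/tiins()/ytzte() logic is not reproduced here.

// Constructed stand-in for the dropper's scheme: the /.{1,5}/g regex takes the
// string 5 characters at a time (the article's "5 chars every 5 chars") and each
// chunk is reversed. Applying the same transform twice restores the text.
function chunkTransform(s) {
  return (s.match(/.{1,5}/g) || []).map(c => c.split('').reverse().join('')).join('');
}
const deobfuscate = chunkTransform;

// Analyst-side hook: temporarily replace the global Function constructor with one
// that records the body it was given and returns a harmless no-op function.
function captureDynamicCode(decodeRoutine) {
  const captured = [];
  const RealFunction = globalThis.Function;
  globalThis.Function = function (...args) {
    captured.push(args[args.length - 1]); // the body is always the last argument
    return function () {};                // the decoded code is never executed
  };
  try {
    decodeRoutine();
  } finally {
    globalThis.Function = RealFunction;   // always restore, even if decode throws
  }
  return captured;
}

// Constructed dropper-like routine: decodes its payload and hands it to
// new Function, the step the article rebuilds by hand in the Chrome console.
const SAMPLE_OBF = chunkTransform("var x = 'payload'; x;");
function sampleDropper() {
  const body = deobfuscate(SAMPLE_OBF);
  return new Function(body)();
}
```

Run `captureDynamicCode(sampleDropper)` to get the decoded source as a string; with the real sample, the recorded body is what would otherwise be executed by the dropper.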

Phishing attacks are becoming more and more sophisticated and targeted. One of the last phishing kits I analyzed is built specifically to target Italians and filter out people from other countries. The financial institution targeted by the phishing campaign is CartaSi, the leading company in Italy for electronic payments. CartaSi manages a total of 27 million credit, prepaid and debit cards and provides the acceptance service to approximately 600,000 merchants. CartaSi covers about 50% of the Italian market, while the debit cards it manages are about a quarter of the market.

Let's have a look at the phishing website.

The email sent to phish the victim is poorly designed, but it can still trick a few people into entering their credentials.

In order to filter users based on their geolocation, the phishing website uses a PHP plugin called "geoPlugin 1.0" and allows only users connecting from Italy:

The initial structure of the phishing kit is very simple, and directory listing is prevented by placing a fake 404 page (index.html) in every folder.

All the logic of the phishing website is stored inside the folder acrts, where the following files can be found:

The main file is "login.php", the entry point of the phishing website: it filters the user's IP and collects the username, password and IP address of the user. The collected information is stored in three files:

After the phisher has successfully stolen the credentials for the portal, the user is redirected to the CartaSi website www.cartasi.it, as most phishing websites do. This mechanism allows CartaSi to easily detect the phishing website by analyzing the logs of its web server.

The phishing website also contains a simple PHP shell called ttt.php that can be used to access the files on the web server. Below is the code of ttt.php.

It is very easy to detect that this website is fake and belongs to a phisher.

So far ~15 credit cards have been entered and ~30 username/password pairs have been stolen. Awareness is still very low.

Netflix is one of the most popular streaming platforms all over the world, especially because of the "hottest" TV series. But this popularity has also attracted criminals looking for new ways to steal money. During the last months Netflix has been targeted by malware written to steal credit card information and user credentials. The attack uses the same methodology used by financial malware like Dridex/Zeus: web injects.

Once the user has been infected, the malware waits until the user loads the Netflix login page. As soon as the user accesses the page and the browser loads the content from the server, the malware injects malicious HTML, JavaScript and CSS content.

The code is activated on GET or POST requests to *netflix.com*.

The injected JavaScript function pop("div_to_show") is called when the cookie is not found. To trigger the modal, we can open the developer console and call the function "pop('popDiv');".

As we can see, a modal is loaded into the page, claiming that it was not possible to confirm the user's payment information. To keep using Netflix, the user must enter the credit card details and click "Continuar".

The malware checks whether the entered credit card number is valid.

With a valid credit card number it is possible to submit the request, triggering the submitMe() JavaScript function (shown above).

Once the function has been called, a request to the URL https://p0o9i8u7y9.xyz/braz2/gate.php is triggered.

The information is collected by a drop zone that acts as a C&C (command and control) server, as in many Zeus-like financial malware families. This kind of malware is always spread through malicious emails and drive-by download attacks. Be careful about what you download from your mailbox.

Clone kit revealed

A new fake Dropbox phishing scam targeting users of the online sharing and storage platform is currently in circulation. The scam invites readers to view files shared by another Dropbox user and to click on a link that redirects to a phishing website.

However, this phishing scam tries to fool users into submitting the username and password of their email account (Yahoo, Outlook, Gmail, AOL or others) in order to gain access to it.

Clicking on one of the icons, a modal pops up asking for credentials.

Once the credentials are filled in and the "Submit" button is clicked, they are sent by email to the phisher.

By analyzing the web server it is possible to retrieve the clone kit used by the attacker to build the phishing website. The clone kit is very simple and was developed with basic programming skills. Below are the structure and the source code of submit.php; "form.php" and "index.php" are 99% HTML code.

The developer downloaded all the icons locally to avoid reconnaissance.

Dropbox can easily identify this phishing attack by analyzing the HTTP Referer field of the requests, because the phishing website redirects to the official Dropbox website.
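Both the CartaSi kit and this Dropbox kit bounce the victim to the real site afterwards, so the real site's access log shows visitors arriving with a Referer from the phishing domain. The following added example (not code from either kit, CartaSi or Dropbox) groups such foreign referers from combined-format log lines; the log lines, the `OWN_HOSTS` allowlist and the `.test` domains are constructed for illustration, while the `/acrts/login.php` path is the one seen in the CartaSi kit.

```javascript
// Added example: flag visits whose Referer points at an unknown host. Log lines
// and the allowlist below are constructed; only /acrts/login.php comes from the kit.

const OWN_HOSTS = new Set(['www.example-bank.test', 'example-bank.test']); // assumed legit

// Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: Number(m[4]), referer: m[6], ua: m[7] };
}

// Host part of the referer, or null for direct hits ("-") and unparsable values.
function refererHost(ref) {
  if (!ref || ref === '-') return null;
  try { return new URL(ref).hostname.toLowerCase(); } catch { return null; }
}

// Count hits per foreign referer host. A host that sends many distinct IPs to the
// landing/login page is a phishing-kit candidate worth investigating.
function suspiciousReferers(lines, ownHosts = OWN_HOSTS) {
  const counts = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const host = refererHost(rec.referer);
    if (host === null || ownHosts.has(host)) continue;
    const entry = counts.get(host) || { hits: 0, ips: new Set() };
    entry.hits += 1;
    entry.ips.add(rec.ip);
    counts.set(host, entry);
  }
  return [...counts]
    .map(([host, e]) => ({ host, hits: e.hits, distinctIps: e.ips.size }))
    .sort((a, b) => b.hits - a.hits);
}

// Constructed sample log: two victims bounced from a look-alike domain, one direct
// visit and one normal in-site navigation.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2016:10:01:02 +0100] "GET / HTTP/1.1" 200 5123 "http://example-bank-login.test/acrts/login.php" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Mar/2016:10:03:44 +0100] "GET / HTTP/1.1" 200 5123 "http://example-bank-login.test/acrts/login.php" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Mar/2016:10:05:00 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '198.51.100.8 - - [10/Mar/2016:10:06:10 +0100] "GET /login HTTP/1.1" 200 2210 "https://www.example-bank.test/" "Mozilla/5.0"',
];
```

`suspiciousReferers(SAMPLE_LOG)` returns one entry for the look-alike host with 2 hits from 2 distinct IPs; on a real log the same grouping, run daily, surfaces new kits as soon as their first victims are redirected.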

Recently my best friend received a call from his bank (Unicredit), telling him that his account was temporarily blocked because of suspicious activity on it. He asked for more information, and they asked him whether he had recently entered his credentials on a website similar to the official one. He replied that he hadn't, not even on the official one; the last time he used online banking was many months ago. As a result, they unblocked his account and he can use his money again.

Two minutes later he called me to tell me this story. I was lying on the couch checking my email and my spam folder. While he was speaking, one email caught my eye:

Voila!

It looks like Unicredit is facing a massive phishing attack and is blocking accounts even without evidence of fraud.

Interesting. Let's analyze it a bit.

The clone kit used by the attackers is very similar to the others. The attack is not even sophisticated: it uses just a form and an image as background. Below is the structure.

The HTML files 1, 2 and 3 are just redirects to the files cc.html, inside.html and inside2.html. Let's analyze the PHP files.

1.png is the background of the login page.

They look very simple. The PHP skills required in this case are very low.

index.php

Just a simple redirect that generates a random string by including random.php. See below.

This file tracks all the victims by saving their location. The results are saved into the file visit.txt. So far the number of visitors is about 3175, most of them from Italy.

Going deeper through the other files, we can see that all the information entered by the victims on the phishing website is stored inside a text file named pinco1.txt and sent by email to the attacker.

The obfuscated content of these files is reported at the end of this article.

The other PHP files are quite similar to each other:

The only difference is the redirect. They ask the victims to enter the OTP (One Time Password) three times, so that the last one is still valid for 30-60 seconds and can be used to make transfers.

"The so-called "419" scam (aka "Nigeria scam" or "West African" scam) is a type of fraud named after an article of the Nigerian penal code under which it is prosecuted. It is also known as "Advance Fee Fraud" because the common principle of all the scam formats is to get the victim to send cash (or other items of value) upfront by promising them a large amount of money that they would receive later if they cooperate. In almost all cases, the criminals receive money using Western Union and MoneyGram, instant wire transfer services with which the recipient can't be traced once the money has been picked up. These services should never be used with people you only know by email or telephone!" (http://www.419scam.org)

Curious about that, I started a nice conversation with the Nigerian guy to see how the scam actually works.

Scammer

Dear Friend,
I am very happy to inform you about my success in getting that fund transferred. Now I want you to contact my secretary and ask him for a cheque worth of USD$800,000 which I kept for you as a compensation of your past assistance to me. His contact details is below;
Name: John Izualo.
Email; ( johnizualo6@yahoo.com )
Kindly reconfirm to him the following below information:
Your full name_________
Your address_______
Your country______
Your age__________
Your occupation______
Your Phone number_______
Note that if you did not send him the above information complete,he will not release the cheque to you because he has to be sure that it is you. Note also that I will not be reached by email or phone at this moment because I am currently in London for investment trip with my share.
Regards,
Dr.Peter Ikey Obi.

Me

Hello I received this mail from Dr.Peter Ikey Obi,
I didn't know how I helped him but I'm very happy to receive this bonus.
Here are my details for the transfer.
Your full name______Davide XXXX
Your address_______Via dei XXX
Your country_______Italy
Your age___________59
Your occupation______Director Sales at XXX
Your Phone number_______+3934877XXXXX
Regards,

Scammer

DEAR Davide XXXX,
WELL, I RECEIVE YOUR EMAIL AND ITS CONTENT AND I HAVE MADE SOME INQUIRES ACCORDING TO THE INSTRUCTIONS GIVEN TO ME BY MY BOSS BEFORE HE WENT TO LONDON AND I WANT YOU TO DO ME A FAVOR NOW TOWARDS YOUR FUNDS IN A CERTIFIED BANK CHEQUE ($800,000.00 USD), DO YOU WANT TO RECEIVE IT THROUGH BANK TO BANK WIRING TRANSFER OR DO YOU WANT IT THROUGH DELIVERY FROM COURIER COMPANY, I WANT YOU TO GET BACK TO ME TODAY CONCERNING THIS MATTER! AND IF YOUR CHOICE IS BANK TO BANK WIRING TRANSFER, PLEASE TRY TO FORWARD ME YOUR BANK ACCOUNT INFORMATION BECAUSE THE BANK HERE NEEDS IT TO TRANSFER YOUR FUND INTO YOUR ACCOUNT THERE OK.
BUT IF YOUR CHOICE IS THROUGH COURIER COMPANY, THEN I ALSO WANT YOU TO GET BACK TO ME AS SOON AS POSSIBLE, SO THAT I WILL MAKE THE REMAINING ARRANGEMENT WITH THE COURIER COMPANY HERE CONCERNING HOW TO DELIVERY YOUR CERTIFIED BANK CHEQUE OF $800, 000.00 USD TO YOU, BECAUSE YOUR ADDRESS IS ALREADY RECEIVED HERE OK.
THANKS AND HAPPY TO HEAR BACK FROM YOU,
YOURS SINCERELY,
JOHN IZUALO,
PHONE: +234-806-4228395.

Me

Hello Mr John,
I would like to go through a courier company because I do not have currently my bank account available. What should I do?
Thanks
Best

Scammer

Dear Davide XXXX,
Well, I received your e-mail and its content but inquires I made today stated that delivering your cheque of USD$800,000.00 to you through courier company will only cost you $195.92 for its delivering through FedEx.
and you are required to send the delivering fee of $195.92 through western union or money gram money transfer in the below receiver's name information ok. As soon as you send the fee then get back to me with the MTCN and your cheque of $800, 000.00 must be delivered to you without wasting any time OK.
HERE IS THE RECEIVER'S NAME INFORMATION TO SEND THE REQUIRED FEE OF $195.92 THROUGH WESTERN UNION MONEY TRANSFER OR MONEY GRAM:
RECEIVER'S NAME: PETER NWAKOR
CITY: LAGOS
COUNTRY: NIGERIA
COUNTRY CODE: +234.
TEST QUESTION: IN GOD?
ANSWER: WE TRUST
Thanks,
Mr. John Izualo.
Phone: +234-806-4228395

Me

Hi Thanks a lot.
Tomorrow I will send the money. When I will receive the money?
Do you need more information to send the money?
Thanks a lot thanks
Best

Everything was going fine and I was so happy to receive my payment of $800K.

But I made a mistake. I waited too long to make the payment via WU and my Nigerian friend got angry 🙁

He replied to me the following:

Scammer

Am here to inform you that i have tried my best to make sure you receive your cheque, but i can see that you are not serious about it, failure to comply with me by the fee today and tomorrow, i will return the cheque to my boss first thing on Monday morning.

The weekend started and I cannot reach him anymore. He doesn't answer anymore. My yacht has to wait... maybe the next scam will be the right one!!